How Public Shame Might Force a Revolution in Computer Security

The numbers are depressing. An estimated 700 million data records were stolen in 2015. But despite the billions spent on computer security, flaws that allow such attacks are fixed slowly. A June report found that financial companies, for example, take on average over five months to fix known online security vulnerabilities.

“The security industry gets $75 billion every year to try to secure things, and what you get for that is everybody is hacked all the time,” said Jeremiah Grossman, chief of security strategy at SentinelOne, speaking at the Black Hat security conference in Las Vegas on Wednesday.

Yet Grossman and some other veterans of the security industry have lately become more optimistic. They see a chance that companies will soon have much stronger financial incentives to invest in securing and maintaining software.

A new nonprofit called the Cyber Independent Testing Laboratory (CITL) has developed ways to score and compare the security of software products such as Web browsers and operating systems. The aim is to help consumers and companies choose the most secure products, and to shame those putting our data at risk into doing better.

That effort comes at a time when insurance companies have begun to take an interest in understanding the risks of security breaches, something that could create new financial incentives for companies to pay attention to security. Insurers could pressure companies much as the insurance industry has historically pushed for advances in auto and electrical safety. PwC reported last year that companies are being forced to rely more heavily on cyber insurance because the costs of corporate data breaches are growing fast.

Peiter Zatko, a high-profile hacker known as Mudge, speaking at the Black Hat security conference this week.

CITL was established by high-profile hacker Peiter Zatko, also known as Mudge, and his wife, Sarah, who is also a security researcher. The pair presented their first results at the Black Hat conference Wednesday, showing how analysis methods they had developed can assign a range of security scores to different software programs.

CITL is modeled on Consumer Reports, and will publish scores aimed at non-experts as well as more detailed assessments for industry insiders. “We’ve been trying to get people to care about security for years and if someone says ‘Okay, what do I do?’ we’re pretty vague about the next step,” said Sarah Zatko. “We may advise what browser to use but we don’t have much evidence to back that up.”

The Zatkos presented preliminary data comparing how vulnerable to attack various programs for Apple computers are. The Google Chrome browser was ranked in the 75th percentile of all the programs analyzed for that operating system, with Safari coming in at the 59th. Microsoft Office and the Mozilla Firefox browser were more vulnerable, trailing at the 37th and 35th percentiles, respectively. CITL’s analysis of Microsoft’s Windows 10 suggests that the company uses more up-to-date methods on its own operating system. CITL’s more detailed analyses showed that Microsoft and Mozilla had neglected to use standard techniques for hardening software against attack in their programs for Apple PCs.

The CITL has funding from the Pentagon’s research arm, the Air Force Research Lab, and the Ford Foundation. It plans to release its first large data sets early next year, and is already talking with insurance companies interested in using its data.

Grossman hopes that CITL’s analyses could help force companies to take responsibility for their security failings. Studies suggest security incidents have little effect on a company’s stock price, and legal liability claims usually fail. Nor do companies selling software and security products offer anything like the warranties or guarantees common for more traditional goods and services.

Grossman predicts that data from CITL, along with data from some startups working on ways to score and compare companies’ resilience to security threats, will also empower insurers to force a big shift in attitudes toward security.

He estimates that companies currently spend around $3.5 billion a year on insurance that pays out in the event of a corporate breach, with spending growing at 50 percent or more annually. Insurers are currently focused on expanding the market, and don’t base premiums or payouts on close scrutiny of the state of a company’s technology. But they are working on gathering the actuarial data needed to do so. “I think it’s only a matter of time until the information security industry’s masters change,” Grossman said.